This is internal documentation. There is a good chance you’re looking for something else. See Disclaimer.

Ansible: Ingress/Route Settings

Add Route / Endpoint

  1. Add the necessary DNS entries.

  2. Add the route to config.yml:

     abc:   # <- customer
       installations:
         abc:  # <- installation
           routes:
             abc.ch:
             www.abc.ch:
             xyz.ch:              # <= add the new routes here
             www.xyz.ch:          # <=
         abctest:
    

    The default route ${INSTALLATION}.tocco.ch is added implicitly. Only add it explicitly if you wish to override the default settings.

    Technical note: the default route, if absent, is added by the inventory script (inventory.py).

    Hint

    If a reverse proxy (e.g. Cloudflare) is in front of Nice, a route still needs to be added, with its type set to proxy:

     abc:  # <- customer
       installations:
         abc:  # <- installation
           routes:
             example.net:
               type: proxy
    

    Proxies should use https://${INSTALLATION}.tocco.ch as upstream.

  3. Apply change:

    ansible-playbook playbook.yml -t route -l ${INSTALLATION}

Hint

The required TLS certificates are issued automatically in the background. This can take some time though. See Troubleshooting if you run into any issues.

Remove Route / Endpoint

  1. Remove route from config.yml

  2. Apply change:

    ansible-playbook playbook.yml -t route -l ${INSTALLATION}

Common Route Settings

monitoring_enabled

Whether to enable monitoring.

Valid values: true, false

sso_enable_support_login

Enable login via /support-tocco. Enabled by default for ${installation}.tocco.ch.

Valid values: true, false

hsts_secs

Adjust max-age, in seconds, sent via Strict-Transport-Security header.

hsts_include_subdomains

Set includeSubDomains in Strict-Transport-Security header.

Valid values: true, false

hsts_preload

Set preload in Strict-Transport-Security header.

Dangerous. Read warning on https://hstspreload.org first.

Valid values: true, false

http_request_timeout

Request read timeout enforced by OpenShift.

Example values: 60s, 3m

Settings can be applied on customer, installation or route level:

 abc:
   monitoring_enabled: false  # disable for customer
   installations:
     abc:
       monitoring_enabled: true  # re-enable for installation
       routes:
         abc.org:
         www.abc.org:
           monitoring_alert_tocco: false  # do not send alerts for www.abc.org
     abctest:
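
The following sketch is an added example, not Tocco's inventory.py. It resolves the three levels with the most specific one winning, as in the monitoring_enabled example above, and flags routes that set hsts_preload without the max-age of at least one year and the includeSubDomains directive that hstspreload.org requires. The SAMPLE dictionary is constructed, and reporting a missing hsts_secs is an assumption, since the defaults are not stated on this page.

```python
# Added example, not Tocco's inventory.py.
PRELOAD_MIN_AGE = 31536000  # one year, the minimum hstspreload.org accepts

# Constructed sample: the shape config.yml has after YAML parsing
# (a route or installation with no settings parses to None).
SAMPLE = {
    "abc": {
        "hsts_secs": 86400,  # customer level
        "installations": {
            "abc": {
                "routes": {
                    "abc.ch": {"hsts_include_subdomains": True, "hsts_preload": True},
                    "www.abc.ch": {"hsts_secs": 31536000, "hsts_include_subdomains": True,
                                   "hsts_preload": True},
                    "xyz.ch": None,
                },
            },
            "abctest": None,
        },
    },
}

def effective_routes(config):
    """Yield (installation, hostname, settings); route overrides installation overrides customer."""
    for cust in config.values():
        cust = cust or {}
        cust_settings = {k: v for k, v in cust.items() if k != "installations"}
        for name, inst in (cust.get("installations") or {}).items():
            inst = inst or {}
            inst_settings = {k: v for k, v in inst.items() if k != "routes"}
            routes = dict(inst.get("routes") or {})
            routes.setdefault(f"{name}.tocco.ch", None)  # implicit default route
            for host, route in routes.items():
                yield name, host, {**cust_settings, **inst_settings, **(route or {})}

def lint_hsts_preload(config):
    """Return (hostname, problem) pairs for routes that set hsts_preload unsafely."""
    findings = []
    for _, host, s in effective_routes(config):
        if not s.get("hsts_preload"):
            continue
        secs = s.get("hsts_secs")
        if secs is None:  # assumption: defaults are unknown, so require an explicit value
            findings.append((host, "hsts_secs not set explicitly"))
        elif secs < PRELOAD_MIN_AGE:
            findings.append((host, f"hsts_secs={secs} is below {PRELOAD_MIN_AGE}"))
        if not s.get("hsts_include_subdomains"):
            findings.append((host, "hsts_include_subdomains is not true"))
    return findings
```

Here abc.ch is reported because it inherits hsts_secs: 86400 from the customer level, while www.abc.ch overrides it and passes.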